Pentagon: Yep, We Got Hacked

U.S. Deputy Secretary of Defense William S. Lynn III has admitted that the Pentagon suffered a serious security breach in 2008, an incident he categorized as "the most significant breach of U.S. military computers ever." Though the breach was reported in the press at the time, the DoD has only now publicly acknowledged that it occurred -- and that it took 14 months to clean up the mess left behind.

By John P. Mello Jr.
08/26/10 9:09 AM PT

A "significant compromise" of U.S. military networks has been acknowledged by the Pentagon two years after the breach was reported in the press.

"In 2008, the U.S. Department of Defense suffered a significant compromise of its classified military computer networks," Deputy Secretary of Defense William S. Lynn III wrote in an article in the September/October issue of Foreign Affairs.

"It began when an infected flash drive was inserted into a U.S. military laptop at a base in the Middle East," he explained. "The flash drive's malicious computer code, placed there by a foreign intelligence agency, uploaded itself onto a network run by the U.S. Central Command.

"That code spread undetected on both classified and unclassified systems," he continued, "establishing what amounted to a digital beachhead, from which data could be transferred to servers under foreign control."

"This previously classified incident was the most significant breach of U.S. military computers ever, and it served as an important wake-up call," he added.

Excuse Me, We've Been Hacked

The Pentagon's official acknowledgement of the data breach at Central Command occurs nearly two years after The Los Angeles Times reported the incident in November 2008.

He remembered attending a dinner with six people on the night the military discovered the breach when one of the diners from Homeland Security's National Cyber Security division excused himself from the repast after receiving a message on his BlackBerry. "DOD just had a major hack," he recalled the official saying. "I have to leave."

He added that he has heard General Keith Alexander, recently appointed to head the new U.S. Cyber Command, allude to the attack at unclassified forums at the National Security Agency in the past.

Bumbling Spies?

Although in his article Lynn attributes the 2008 attack on Central Command to a foreign intelligence agency, that has been challenged in some corners of Cyberspace.

Citing an anonymous source, Wired magazine reported that the military has never been sure who was responsible for infecting Central Command's networks.

"Some guys wanted to reach out and touch someone," the source told Wired. "But months later, we were still doing forensics. It was never clear, though. The code was used by Russian hackers before. But who knows?"

The malware originating from the infected USB drive was dubbed "Agent.btz." It's a variation of the SillyFDC worm. According to Wired, the worm's ability to compromise classified information is limited because it requires open access to the public Internet to work effectively.

"SIPRNet, the military's secret network, and JWICS, its top secret network, have only the thinnest of connections to the public Internet," Wired explained. "Without those connections, intruders would have no way of exploiting the backdoor, or indeed of even knowing that agent.btz had found its way into the CENTCOM network."

That raises the question of why foreign agents would try to infect a military network with a worm that would have very little chance of producing anything useful.

Scary Situation

Although the worm infecting Central Command's computers doesn't appear to be anything exotic, it still took military sanitizers 14 months to clean up the infection. That is frightening news to some computer security pros.

Chet Wisniewski, a security adviser with antimalware software maker Sophos, asserted that Lynn's article paints a bleak picture of computer security in the military. "It implies that the controls at the Pentagon are bad or worse than the average corporate environment," he told TechNewsWorld. "That's quite scary when you consider what they're responsible for handling."

As scary as the attack on Central Command's computers may be for security pros, cyberattacks in general haven't been able to generate much fear in the public at large. That may be why the Pentagon has chosen this moment to come clean on the Central Command breach.

"DoD has been a little frustrated with the pace of cybersecurity in the sense that a lot of people in the public don't take it very seriously," observed Senior Fellow Lewis.

"People usually don't know about intelligence disasters, and by telling them about it hopefully you can gin up some public support," he added.